diff options
author | Peter Maydell <peter.maydell@linaro.org> | 2018-03-23 18:26:45 +0000 |
---|---|---|
committer | Peter Maydell <peter.maydell@linaro.org> | 2018-03-23 18:26:45 +0000 |
commit | a2e2d7fc46fd8be875035d9bb5c64788389f65c2 (patch) | |
tree | ef81cbf5f500423f236fa5bc75533b3be3cc1f7b /hw/intc | |
parent | 544156efcf4d807507d223075c26702a1254880e (diff) | |
download | qemu-a2e2d7fc46fd8be875035d9bb5c64788389f65c2.zip qemu-a2e2d7fc46fd8be875035d9bb5c64788389f65c2.tar.gz qemu-a2e2d7fc46fd8be875035d9bb5c64788389f65c2.tar.bz2 |
hw/intc/arm_gicv3: Fix secure-GIC NS ICC_PMR and ICC_RPR accesses
If the GIC has the security extension support enabled, then a
non-secure access to ICC_PMR must take account of the non-secure
view of interrupt priorities, where real priorities 0x00..0x7f
are secure-only and not visible to the non-secure guest, and
priorities 0x80..0xff are shown to the guest as if they were
0x00..0xff. We had the logic here wrong:
* on reads, the priority is in the secure range if bit 7
is clear, not if it is set
* on writes, we want to set bit 7, not mask everything else
Our ICC_RPR read code had the same error as ICC_PMR.
(Compare the GICv3 spec pseudocode functions ICC_RPR_EL1
and ICC_PMR_EL1.)
Fixes: https://bugs.launchpad.net/qemu/+bug/1748434
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Andrew Jones <drjones@redhat.com>
Message-id: 20180315133441.24149-1-peter.maydell@linaro.org
Diffstat (limited to 'hw/intc')
-rw-r--r-- | hw/intc/arm_gicv3_cpuif.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c index 5cbafaf..26f5eed 100644 --- a/hw/intc/arm_gicv3_cpuif.c +++ b/hw/intc/arm_gicv3_cpuif.c @@ -836,7 +836,7 @@ static uint64_t icc_pmr_read(CPUARMState *env, const ARMCPRegInfo *ri) /* NS access and Group 0 is inaccessible to NS: return the * NS view of the current priority */ - if (value & 0x80) { + if ((value & 0x80) == 0) { /* Secure priorities not visible to NS */ value = 0; } else if (value != 0xff) { @@ -871,7 +871,7 @@ static void icc_pmr_write(CPUARMState *env, const ARMCPRegInfo *ri, /* Current PMR in the secure range, don't allow NS to change it */ return; } - value = (value >> 1) & 0x80; + value = (value >> 1) | 0x80; } cs->icc_pmr_el1 = value; gicv3_cpuif_update(cs); @@ -1609,7 +1609,7 @@ static uint64_t icc_rpr_read(CPUARMState *env, const ARMCPRegInfo *ri) if (arm_feature(env, ARM_FEATURE_EL3) && !arm_is_secure(env) && (env->cp15.scr_el3 & SCR_FIQ)) { /* NS GIC access and Group 0 is inaccessible to NS */ - if (prio & 0x80) { + if ((prio & 0x80) == 0) { /* NS mustn't see priorities in the Secure half of the range */ prio = 0; } else if (prio != 0xff) { |